From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40031] New: - subtree canonicalization produces incorrect result
Date Wed, 12 Jul 2006 19:26:24 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40031>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40031

           Summary: subtree canonicalization produces incorrect result
           Product: Security
           Version: Java 1.3
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P1
         Component: Canonicalization
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: bob@directdocs.com


The following XML is taken from the CanonSubtree sample app, but illustrates an
issue that I've encountered, which is causing a signature verification interop
problem (Keytools and xml-sec).

I've slightly altered the XML from the CanonSubtree sample by adding xmlns="" to
the CanonicalizationMethod element. The second chunk of XML is the result of
Apache xml-sec 1.3 subtree (SignedInfo) canonicalization.

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>


<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>

Note that xmlns="" has been omitted from the CanonicalizationMethod element.
This is correct in the context of the subtree prior to adding doc level
namespaces to the subtree root (i.e. <SignedInfo> vs <SignedInfo 
xmlns="http://www.w3.org/2000/09/xmldsig#">), but is incorrect following the
addition of the doc level namespace.

The following code reproduces the bug:

package org.apache.xml.security.samples.canonicalization;

import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/**
 *
 *  @author Christian Geuer-Pollmann
 */
public class CanonSubTree {
   //J-
   static String input = ""
      + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"
      + "  <SignedInfo><!-- comment inside -->\n"
      + "    <CanonicalizationMethod xmlns=\"\" Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\" />\n"
      + "    <SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n"
      + "    <Reference URI=\"http://www.w3.org/TR/xml-stylesheet\">\n"
      + "      <DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n"
      + "      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>\n"
      + "    </Reference>\n"
      + "  </SignedInfo>\n"
      + "  <SignatureValue>\n"
      + "    fKMmy9GYF2s8rLFrZdVugTOFuWx19ccX7jh5HqFd4vMOY7LWAj52ykjSdvtW3fNY\n"
      + "    PPYGC4MFL19oPSId5GEsMtFMpGXB3XaCtoKjMCHQsN3+kom8YnGf7Ge1JNRcGty5\n"
      + "    0UsoP6Asj47+QR7QECT64uoziha4WRDVyXjDrg24W+U=\n"
      + "  </SignatureValue>\n"
      + "  <KeyInfo>\n"
      + "    <KeyName>Lugh</KeyName>\n"
      + "  </KeyInfo>\n"
      + "</Signature>\n"
      ;
   //J+

   /**
    * Method main
    *
    *  @param args
    *  @throws Exception
    */
   public static void main(String args[]) throws Exception {
      org.apache.xml.security.Init.init();

      DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();

      dfactory.setNamespaceAware(true);
      dfactory.setValidating(true);

      DocumentBuilder documentBuilder = dfactory.newDocumentBuilder();

      // this is to throw away all validation warnings
      documentBuilder
         .setErrorHandler(new org.apache.xml.security.utils
            .IgnoreAllErrorHandler());

      byte inputBytes[] = input.getBytes();
      Document doc =
         documentBuilder.parse(new ByteArrayInputStream(inputBytes));
      Canonicalizer c14n =
         Canonicalizer
            .getInstance("http://www.w3.org/TR/2001/REC-xml-c14n-20010315");
      Element nscontext = XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);

      Node signedInfo = XPathAPI.selectSingleNode(doc, "//ds:SignedInfo",
                                                  nscontext);
      byte outputBytes[] = c14n.canonicalizeSubtree(signedInfo);

      if (outputBytes != null) {
         System.out.println(new String(outputBytes));
      }
   }
}

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
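The point of the report is the Canonical XML 1.0 rule for namespace declarations in a subtree canonicalization: a declaration is rendered on an element only when the nearest ancestor in the *output* does not already bind the same prefix to the same value, the apex inherits whatever is in scope from ancestors outside the subtree, and xmlns="" is rendered only when that output ancestor has a non-empty default namespace. The following Python block is an added example, not code from the bug report or from Apache xml-sec; it implements that rule standalone on top of xml.dom.minidom and runs it over the report's sample XML (embedded below, with the Signature close tag corrected). Assumptions: it handles elements, text, namespace declarations and unprefixed attributes only, drops comments and processing instructions, and sorts attributes by name; the names SAMPLE, in_scope_namespaces, canonicalize_subtree and canonical_digest are this example's own.

```python
"""Added example (not from the bug report or xml-sec): the C14N 1.0
namespace-declaration rule for subtree canonicalization, simplified to
elements, text, namespace declarations and unprefixed attributes."""
import hashlib
import xml.dom.minidom as minidom

# Constructed from the report's sample XML (Signature close tag corrected).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod xmlns="" Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="http://www.w3.org/TR/xml-stylesheet">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
    </Reference>
  </SignedInfo>
</Signature>
"""


def _escape_text(s):
    # C14N text-node escaping: &, <, > and carriage return
    return (s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\r", "&#xD;"))


def _escape_attr(s):
    # C14N attribute-value escaping: &, <, ", tab, newline, carriage return
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
            .replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;"))


def in_scope_namespaces(elem):
    """Namespace declarations in scope at elem (prefix -> URI, "" for the
    default namespace), collected from every ancestor element, including
    ancestors that lie outside the subtree being canonicalized."""
    chain = []
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for anc in reversed(chain):  # outermost first, so inner declarations win
        for name, value in anc.attributes.items():
            if name == "xmlns":
                scope[""] = value or ""  # minidom reports xmlns="" as None
            elif name.startswith("xmlns:"):
                scope[name[len("xmlns:"):]] = value
    return scope


def _render(elem, output_scope, out):
    scope = in_scope_namespaces(elem)
    decls = {}
    for prefix, uri in scope.items():
        if prefix == "" and uri == "" and output_scope.get("", "") == "":
            continue  # xmlns="" matters only under a non-empty default namespace
        if output_scope.get(prefix) == uri:
            continue  # already rendered with this value by an output ancestor
        decls[prefix] = uri
    out.append("<" + elem.tagName)
    for prefix in sorted(decls):  # the default declaration sorts first
        name = "xmlns" if prefix == "" else "xmlns:" + prefix
        out.append(' %s="%s"' % (name, _escape_attr(decls[prefix])))
    attrs = [(n, v) for n, v in elem.attributes.items()
             if n != "xmlns" and not n.startswith("xmlns:")]
    for name, value in sorted(attrs):
        out.append(' %s="%s"' % (name, _escape_attr(value)))
    out.append(">")
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            _render(child, scope, out)  # this element is the child's output ancestor
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_escape_text(child.data))
        # comments and processing instructions are dropped
    out.append("</" + elem.tagName + ">")  # C14N never emits <x/>


def canonicalize_subtree(xml_text, apex_tag):
    """Canonical form of the subtree rooted at the first element named apex_tag."""
    doc = minidom.parseString(xml_text)
    out = []
    _render(doc.getElementsByTagName(apex_tag)[0], {}, out)  # apex has no output ancestor
    return "".join(out)


def canonical_digest(xml_text, apex_tag):
    """SHA-1 over the canonical bytes, i.e. what an rsa-sha1 SignedInfo signature covers."""
    return hashlib.sha1(canonicalize_subtree(xml_text, apex_tag).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(canonicalize_subtree(SAMPLE, "SignedInfo"))
    # Dropping xmlns="" changes the bytes a verifier hashes, so a signature
    # produced by a conforming signer no longer verifies against it.
    print(canonical_digest(SAMPLE, "SignedInfo"))
    print(canonical_digest(SAMPLE.replace(' xmlns=""', ""), "SignedInfo"))
```

Run stand-alone, the script prints the canonical SignedInfo with xmlns="" kept on CanonicalizationMethod, which is the form the report says xml-sec 1.3 fails to produce, followed by two differing SHA-1 digests that show why the two canonical forms cannot interoperate under one signature. The same function applied to an apex with no default namespace in scope omits xmlns="" on descendants, matching the reporter's observation that the omission is only correct before the document-level namespace is added to the subtree root.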
